CVE-2026-32757
Received Received - Intake
Cross-Site Scripting in Admidio eCard Email Handler

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing the server-side HTMLPurifier sanitization that is properly applied to the ecard_message field during form validation. An attack can result in any member or role receiving phishing content that appears legitimate, crossing from the web application into recipients' email clients. This issue has been fixed in version 5.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32757
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
admidio admidio to 5.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32757 is a moderate severity vulnerability in the Admidio open-source user management solution, specifically in its eCard feature for versions 5.0.6 and below.'}, {'type': 'paragraph', 'content': "The issue arises because the eCard send handler uses the raw POST parameter 'ecard_message' instead of the properly sanitized version when constructing the greeting card HTML for emails. Although the input is sanitized during form validation using HTMLPurifier, the code mistakenly uses the unsanitized input when generating the email content."}, {'type': 'paragraph', 'content': 'This flaw allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other members, bypassing server-side sanitization.'}, {'type': 'paragraph', 'content': 'As a result, malicious content such as phishing links, fake forms, or tracking pixels can be embedded in emails, potentially deceiving recipients and crossing security boundaries from the web application into email clients.'}, {'type': 'paragraph', 'content': 'The vulnerability has been fixed in version 5.0.7 by ensuring the sanitized input is used when generating the email content.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an authenticated attacker within the Admidio system to send greeting card emails containing malicious HTML or JavaScript to other members.'}, {'type': 'paragraph', 'content': 'Such injected content can be used for phishing attacks that appear legitimate because they come from a trusted internal system.'}, {'type': 'paragraph', 'content': "The attacker can embed fake forms, tracking pixels, or malicious scripts that may execute in recipients' email clients, especially if those clients do not adequately block such content."}, {'type': 'paragraph', 'content': 'This crosses security boundaries by affecting users outside the web application, potentially compromising confidentiality and integrity of communications.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by identifying if your Admidio installation is running version 5.0.6 or below and if the eCard send handler is using the unsanitized $_POST['ecard_message'] value when sending greeting card emails."}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the eCard send endpoint (typically modules/photos/ecard_send.php) for suspicious or unexpected HTML or JavaScript content in the 'ecard_message' parameter."}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Using web server logs, search for POST requests containing suspicious HTML or script tags in the 'ecard_message' parameter, e.g., using grep: grep -i 'ecard_message=.*<script' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST traffic to the eCard send URL and inspect payloads for injected HTML or JavaScript.'}, {'type': 'list_item', 'content': 'If you have access to the application database, query the stored eCard messages for suspicious HTML content that might indicate exploitation.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Admidio to version 5.0.7 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "If upgrading immediately is not possible, you should modify the eCard send handler code to use the sanitized input instead of the raw POST data. Specifically, change the code in modules/photos/ecard_send.php to assign the sanitized $formValues['ecard_message'] to the variable used for email content instead of $_POST['ecard_message']."}, {'type': 'paragraph', 'content': 'Additionally, applying encoding or escaping in the method that inserts the eCard message into the email template (ECard::parseEcardTemplate) can provide defense-in-depth.'}, {'type': 'paragraph', 'content': 'Restrict access to the photo module and eCard sending functionality to trusted authenticated users only, as the vulnerability requires authentication.'}, {'type': 'paragraph', 'content': 'Monitor outgoing emails for suspicious content and inform users to be cautious of unexpected or suspicious eCards.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32757. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart